Wouldn’t it be nice to know exactly how the NSA decides when to let vendors, and the vulnerable users of their products, know about newly found flaws?
Wouldn’t it be nice to know how long the agency silently sits on those zero days, leaving businesses and individuals exposed, while it exploits the vulnerabilities for spying purposes?
The Electronic Frontier Foundation (EFF) has stepped up to help find answers to those questions.
On Tuesday, the EFF filed a Freedom of Information Act (FOIA) lawsuit against the NSA and the Office of the Director of National Intelligence (ODNI) to access documents showing how intelligence agencies choose whether to disclose zero days.
In April 2014, Bloomberg News published a story alleging that the NSA had secretly exploited the Heartbleed bug in the OpenSSL cryptographic library for at least two years before the public learned of the devastating vulnerability.
The White House strongly denied the allegations, claiming that the government has a “bias” toward responsible bug disclosure and that it had developed a new “Vulnerability Equities Process” for deciding when to share vulnerabilities with companies and the public.
Under that process, the government is supposed to lean toward responsibly disclosing a vulnerability unless there is a “clear national security or law enforcement need” to keep it secret.
The White House said that the process is based on “principles to guide agency decision-making” including “a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.”
The public hasn’t been told what those principles are.
The EFF filed a FOIA request for records related to the processes on 6 May.
No documents have been released so far, the EFF says, even though ODNI agreed to expedite the request.
The digital privacy rights group on Monday filed a FOIA complaint for injunctive relief.
After all, EFF Global Policy Analyst Eva Galperin said, as intelligence agencies eschew responsible disclosure to milk zero days so as to infiltrate targeted computers or devices, the public languishes, unprotected from identity thieves and other governments that might also be aware of – and exploit – unpatched vulnerabilities.
Since these vulnerabilities potentially affect the security of users all over the world, the public has a strong interest in knowing how these agencies are weighing the risks and benefits of using zero days instead of disclosing them to vendors.